Published: 2009-12-26T06:53+00:00
Last Updated: 2009-12-26T06:53+00:00
JVNTR-2009-27
Microsoft Updates for Multiple Vulnerabilities (TA09-342A)
Overview
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office.
Event Information
| Date (UTC) | Description |
| 2009-12-09 03:03 |
JPCERT/CC JPCERT-AT-2009-0025: December 2009 Microsoft Security Bulletin (three critical patches) |
| 2009-12-08 23:25 |
Microsoft ms09-dec: Microsoft Security Bulletin Summary for December 2009 Included in this advisory are updates for newly discovered vulnerabilities. |
| 2009-12-08 22:05 |
US-CERT TA09-342A: Microsoft Updates for Multiple Vulnerabilities Via US-CERT Mailing List |
| 2009-12-08 22:04 |
Fortinet, Inc. FGA-2009-16: Fortinet Discovers Microsoft Office Project Vulnerability (MS09-074) Project Memory Validation Vulnerability (CVE-2009-0102, MS09-074) The vulnerability lies in "winproj.exe", which is used when processing a Project file. A maliciously crafted document may contain a list structure with a malformed element field, that when processed, will result in memory corruption and allow a remote attacker to arbitrarily execute code on the victims machine. |
| 2009-12-08 21:47 |
Microsoft Microsoft Security Advisory (977981): Vulnerability in Internet Explorer Could Allow Remote Code Execution Internet Explorer Vulnerability (CVE-2009-3672) Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-072 to address this issue. |
| 2009-12-08 21:04 |
SANS Internet Storm Center December 2009 Black Tuesday Overview Overview of the December 2009 Microsoft patches and their status. |
| 2009-12-08 18:28 |
Symantec ThreatCON (2) => (2) On December 8, 2009, Microsoft issued six Security Bulletins to address a number of critical security flaws. Successful exploitation of many of these issues will likely result in remote code execution. |
| 2009-12-08 17:31 |
US-CERT Microsoft Releases December Security Bulletin US-CERT Current Activity Microsoft has released an update to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for December 2009. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. |
| 2009-12-03 19:18 |
Microsoft ms09-dec: Microsoft Security Bulletin Advance Notification for December 2009 Included in this advisory are updates for newly discovered vulnerabilities. |
| 2009-11-26 15:11 |
SANS Internet Storm Center Microsoft Security Advisory (977981) Further information has been released regarding Microsoft Security Advisory (977981), previously reported here by Marc and Rick to include mitigation factors. |
| 2009-11-26 03:20 |
Microsoft Microsoft Security Advisory (977981): Vulnerability in Internet Explorer Could Allow Remote Code Execution Internet Explorer Vulnerability (CVE-2009-3672) This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue. |
| 2009-11-24 01:56 |
Microsoft Microsoft Security Advisory (977981): Vulnerability in Internet Explorer Could Allow Remote Code Execution Internet Explorer Vulnerability (CVE-2009-3672) Microsoft is investigating new public reports of a vulnerability in Internet Explorer. |
| 2009-11-24 01:50 |
SANS Internet Storm Center Microsoft Security Advisory 977981 - IE 6 and IE 7 Related to Marc's Diary from 11/23, Microsoft has released Security Advisory 977981. |
| 2009-11-23 05:34 |
Bugtraq Code to mitigate IE STYLE zero-day Vulnerability Proof Of Concept (CVE-2009-3672) #Cid:37085-2.html |
| 2009-11-22 03:58 |
SANS Internet Storm Center IE6 and IE7 0-Day Reported (Version: 3) A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page. |
| 2009-11-20 18:04 |
Bugtraq IE7 Vulnerability Proof Of Concept (CVE-2009-3672) #Cid:37085.html |
| 2009-08-10 |
Zero Day Initiative (ZDI) ZDI-09-088: Microsoft Internet Explorer IFrame Attributes Circular Reference Dangling Pointer Vulnerability Uninitialized Memory Corruption Vulnerability (CVE-2009-3674, MS09-072) Vulnerability Reported The specific flaw exists during deallocation of a circular dereference for a CAttrArray object. If the CAttrArray object has been freed prior to the tearing down of the webpage, the application will access the freed memory during the deallocation of the circular dereference. This can lead to code execution under the context of the currently logged in user. |
| 2009-07-21 |
Zero Day Initiative (ZDI) ZDI-09-087: Microsoft Internet Explorer CSS Race Condition Code Execution Vulnerability Uninitialized Memory Corruption Vulnerability (CVE-2009-3673, MS09-072) Vulnerability Reported The specific flaw exists during a race condition while repetitively clicking between two elements at a fast rate. When clicking back and forth between these two elements a corruption occurs resulting in a call to a dangling pointer which can be further leveraged into code execution via a heap spray. Exploitation of this vulnerability will lead to remote system compromise under the credentials of the currently logged in user. |
| 2009-06-23 |
Zero Day Initiative (ZDI) ZDI-09-086: Microsoft Internet Explorer XHTML DOM Manipulation Memory Corruption Vulnerability Uninitialized Memory Corruption Vulnerability (CVE-2009-3671, MS09-072) Vulnerability Reported The specific flaw exists in the manipulation and parsing of certain HTML tags. The ordering of various objects in a malformed way results in memory corruption resulting in a call to a dangling pointer which can be further leveraged via a heap spray. Exploitation of this vulnerability will lead to remote system compromise under the credentials of the currently logged in user. |
| 2009-06-09 |
iDefense Microsoft Internet Explorer HTML Layout Engine Uninitialized Memory Vulnerability HTML Object Memory Corruption Vulnerability (CVE-2009-3672, MS09-072) Vulnerability Reported The vulnerability exists due to an uninitialized stack variable in the 'CLayout::EnsureDispNode' method. This method is called to recalculate the location of various HTML elements within the page. This function passes a 'CDispNodeInfo' object to another function, 'CLayout::GetDispNodeInfo', which is supposed to initialize the object passed in. However, the function fails to properly initialize a flags value that is used later to determine how many "extra" bytes to allocate for a heap buffer. |
| 2008-12-18 |
iDefense Microsoft WordPad Word97 Converter Integer Overflow Vulnerability WordPad and Office Text converter Memory Corruption Vulnerability (CVE-2009-2506, MS09-073) Vulnerability Reported The vulnerability occurs when parsing the DocumentSummaryInformation stream inside of a DOC file. This stream is used to provide information about the author of the document, date of creation, and similar data. Part of the data in this stream is a sequence of property name and value pairs. When reading in the names of these properties, the code performs a calculation using a 32bit integer from the file that represents the number of names present. The value is used without any check on its bounds, which can lead to an integer overflow. |